Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

Lack of Fund Withdrawal Mechanism in RAACNFT Contract Causing Loss of Fund

roccomania

Summary

The RAACNFT contract allows users to mint NFTs by transferring ERC20 tokens to the contract. However, the contract lacks a mechanism to withdraw these funds, leading to lockup of assets.

Vulnerability Details

Explanation

The RAACNFT::mint function transfers ERC20 tokens from the user to the contract during the NFT minting process. However, the contract does not provide any functionality to withdraw these funds. As a result, the tokens remain locked in the contract indefinitely, making them inaccessible to the protocol or its administrators.

Root Cause in the Contract Function

The issue lies in the following line of the mint function:

function mint(uint256 _tokenId, uint256 _amount) public override {
uint256 price = raac_hp.tokenToHousePrice(_tokenId);
if (price == 0) revert RAACNFT__HousePrice();
if (price > _amount) revert RAACNFT__InsufficientFundsMint();
// Transfer ERC20 tokens from user to contract
@> token.safeTransferFrom(msg.sender, address(this), _amount); //@audit-issue ----> No Mechanism to Withdraw Funds
// Mint NFT to user
_safeMint(msg.sender, _tokenId);
// Refund excess amount
if (_amount > price) {
uint256 refundAmount = _amount - price;
token.safeTransfer(msg.sender, refundAmount);
}
emit NFTMinted(msg.sender, _tokenId, price);
}

While the contract collects ERC20 tokens during the minting process, there is no function to retrieve these tokens. This oversight results in:

  • Asset Lockup: Funds transferred to the contract cannot be accessed or utilized by the protocol.

  • Operational Inefficiency: The protocol cannot manage or redistribute collected funds, leading to inefficiencies in financial operations.

Proof of Concept

Scenario Example

  1. User Mints NFT: A user mints an NFT by transferring 100 ERC20 tokens to the contract.

  2. Funds Locked: The 100 ERC20 tokens remain in the contract with no way to withdraw or utilize them.

  3. Financial Loss: The protocol cannot access these funds, leading to potential financial losses.

Impact

  • Asset Lockup: Funds transferred to the contract are permanently locked, making them inaccessible to the protocol.

  • Financial Loss: The protocol cannot utilize or redistribute collected funds, leading to potential financial losses.

Tools Used

  • Manual Code Review: The vulnerability was identified through a manual review of the RAACNFT contract.

  • Foundry

Recommendations

Implement Withdrawal Mechanism:

  • Add a function to allow the contract owner or authorized administrators to withdraw collected ERC20 tokens.

  • Ensure that only authorized entities (e.g., the contract owner or a dedicated admin) can withdraw funds.

function withdrawTokens( address _to, uint256 _amount) external onlyOwner {
if ( _to == address(0)) revert RAACNFT__InvalidAddress();
IERC20(token).safeTransfer(_to, _amount);
emit TokensWithdrawn(token, _to, _amount);
}
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACNFT collects payment for NFT minting but lacks withdrawal functionality, permanently locking all tokens in the contract

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

RAACNFT collects payment for NFT minting but lacks withdrawal functionality, permanently locking all tokens in the contract

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!